https://community.cisco.com/t5/network-access-control/acs-error-messages/m-p/1271578#M348166 <HTML><HEAD></HEAD><BODY><P>The RADIUS protocol includes a message-id field so that the server can spot re-sent packets.</P><P></P><P>When you see the 1st message it means ACS is seeing message ids that it thinks are currently processing (it has a list of open ids)</P><P></P><P>I was going to say the most likely cause is an overly aggressive re-try timeout in the WLCS... but you've got that set to 30 seconds which should be enough.</P><P></P><P>Looks to me like something in the ACS backend is hanging which is then causing a cascade of errors like you are seeing.</P><P></P><P>The 2nd message is a result of incoming packets being dropped by ACS. It will result in EAP conversations with bits missing or out of sequence.</P><P></P><P>Can you back off so that just a few clients are authenticated correctly then increase the number?</P></BODY></HTML> Mon, 09 Nov 2009 11:42:08 GMT darpotter 2009-11-09T11:42:08Z https://community.cisco.com/t5/network-access-control/acs-error-messages/m-p/1271577#M348122 <P>Hello -</P><P></P><P>I am receiving the following two ACS failed attempts logs for wireless clients connecting to WLAN using WPA1/PEAP.</P><P></P><P>"NAS duplicated authentication attempt"</P><P></P><P>"EAP-TLS or PEAP authentication failed during SSL handshake"</P><P></P><P>I am seeing these messages for many clients. Same clients show both messages at times. </P><P></P><P>The clients fail authentication and then will succeed at random.</P><P>I am seeing constant flow of these at all times though. </P><P></P><P>I wonder if the ACS is overwhelmed as we have added 770 new clients that use WPA/PEAP recently. It is these clients that most often show up in the log. But other clients show up too.</P><P></P><P>I have the ACS Radius Authentication server timeout set to the max (30 secs) on the WLCS...</P><P></P><P>Does anyone know what these messages indicate?</P><P></P><P>How can I determine if the ACS svr is overwhelmed? Is there a way to quantify it's load? For example, how many requests per second can it handle? etc....</P><P></P><P>Are there any design guides on redundant/HA ACS designs for 1000s of clients?</P><P></P><P>Any input is appreciated.</P><P></P><P>Thanks</P><P></P><P></P> Sun, 10 Mar 2019 23:46:56 GMT https://community.cisco.com/t5/network-access-control/acs-error-messages/m-p/1271577#M348122 c.fuller 2019-03-10T23:46:56Z https://community.cisco.com/t5/network-access-control/acs-error-messages/m-p/1271578#M348166 <HTML><HEAD></HEAD><BODY><P>The RADIUS protocol includes a message-id field so that the server can spot re-sent packets.</P><P></P><P>When you see the 1st message it means ACS is seeing message ids that it thinks are currently processing (it has a list of open ids)</P><P></P><P>I was going to say the most likely cause is an overly aggressive re-try timeout in the WLCS... but you've got that set to 30 seconds which should be enough.</P><P></P><P>Looks to me like something in the ACS backend is hanging which is then causing a cascade of errors like you are seeing.</P><P></P><P>The 2nd message is a result of incoming packets being dropped by ACS. It will result in EAP conversations with bits missing or out of sequence.</P><P></P><P>Can you back off so that just a few clients are authenticated correctly then increase the number?</P></BODY></HTML> Mon, 09 Nov 2009 11:42:08 GMT https://community.cisco.com/t5/network-access-control/acs-error-messages/m-p/1271578#M348166 darpotter 2009-11-09T11:42:08Z